From 8d9a360b7bbce8d617da9ab74ec02c7e4d26dc01 Mon Sep 17 00:00:00 2001
From: Branko Conjic
Date: Wed, 30 Oct 2024 16:19:41 -0400
Subject: [PATCH] fix(docs): remove nonces from `script-src`
---
 apps/docs/src/middleware.ts | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/apps/docs/src/middleware.ts b/apps/docs/src/middleware.ts
index 160aae8..2380aee 100644
--- a/apps/docs/src/middleware.ts
+++ b/apps/docs/src/middleware.ts
@@ -49,6 +49,7 @@ function getContentSecurityPolicyHeaderValue(nonce: string, reportUri: string):
 "img-src": [
 `'self'`,
 "cdn.usefathom.com",
+ "cdn.prod.website-files.com",
 "github.com",
 "storage.googleapis.com",
 "stripe.com",
@@ -58,11 +59,7 @@ function getContentSecurityPolicyHeaderValue(nonce: string, reportUri: string):
 "object-src": [`'none'`],
 "report-uri": [reportUri], // for old browsers like Firefox
 "report-to": ["csp"], // for modern browsers like Chrome
- "script-src": [
- `'nonce-${nonce}'`,
- `'unsafe-inline'`, // ignored by browsers that support 'notices/hashes`
- `'strict-dynamic'`, // force hashes and nonces over domain host lists
- ],
+ "script-src": [`'self'`, `'unsafe-inline'`],
 "style-src": [`'self'`, `'unsafe-inline'`, "*.lemonsqueezy.com", "fonts.googleapis.com"],
 };
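Review bot: The new `script-src` value in the second hunk keeps `'unsafe-inline'` but drops the nonce and `'strict-dynamic'`, so browsers now honour `'unsafe-inline'` and the policy no longer stops an injected inline script from running. The commit message gives no reason for removing nonces; if they conflicted with how the docs pages are rendered or cached, hashes for the known inline scripts would keep the protection. At minimum the line should record the trade-off, for example `// NOTE: with no nonce or hash, 'unsafe-inline' is honoured, so script-src no longer blocks injected inline scripts`. The hunk header still shows `nonce: string` in the signature and the diffstat lists no other change, so the parameter is presumably unused now and should be removed or marked as such. The function body starts and ends outside the hunk, so whether `'self'` alone covers every script the docs app loads cannot be confirmed from here.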